RedTeam Pentesting discovered that WebClientPrint Processor (WCPP) does
not validate TLS certificates when initiating HTTPS connections. Thus, a
man-in-the-middle attacker may intercept and/or modify HTTPS traffic in
transit. This may result in the disclosure of sensitive information, and
the integrity of printed documents cannot be guaranteed.

Neodynamic's WebClientPrint Processor is a client-side application that
allows server-side applications to print documents on a client's
printer without user interaction, bypassing the browser's print
functionality. The server-side application may be written in ASP.NET or
PHP, while multiple platforms and browsers are supported on the client
side.

Upon installation under Microsoft Windows, WCPP registers itself as a
handler for the "webclientprint" URL scheme. Thus, any URL starting with
"webclientprint:" is handled by WCPP. For example, entering

webclientprint:-about

in the URL bar of a browser opens the about box of WCPP.

Neodynamic provides an online demo for test printing at the following
URL:

http://webclientprint.azurewebsites.net/

If visited via HTTPS, the WCPP component on the client side will try to
fetch the print job via HTTPS as well.

Proof of Concept
================

To simulate a man-in-the-middle scenario, an entry similar to the
following was appended to the "hosts" file:

Any modern browser displays a warning due to the invalid TLS certificate
presented by socat.

In contrast, WCPP simply accepts any certificate it is presented with
when, for example, printing a demo TXT file. Such a request is
given in the listing below. The output has been shortened and wrapped
manually for better readability.

This shows that WCPP does not verify TLS certificates when establishing
HTTPS connections.
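
The difference between a client that accepts any certificate and one that
validates the chain can be reproduced locally as a regression check. The
following Go program is an added example, not code from this advisory or
from Neodynamic: it assumes Go's net/http/httptest server as a stand-in for
an endpoint presenting an untrusted certificate, and the function names
fetch and probe are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch performs one HTTPS GET with the given TLS settings and returns the
// error, if any, from the handshake or the request.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	defer client.CloseIdleConnections()
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// probe starts a local HTTPS server whose certificate is not in any system
// trust store (what a client sees when its connection is intercepted) and
// tries three client configurations against it.
func probe() (skipVerify, defaultTrust, pinned error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "constructed print job") }))
	defer srv.Close()

	// Behaviour described in the advisory: any certificate is accepted.
	skipVerify = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	// Default validation: the chain must end in a trusted root, so this fails.
	defaultTrust = fetch(srv.URL, &tls.Config{})
	// Explicit trust in the test server's certificate only.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned = fetch(srv.URL, &tls.Config{RootCAs: pool})
	return
}

func main() {
	s, d, p := probe()
	fmt.Println("verification disabled:", s)
	fmt.Println("default trust store:  ", d)
	fmt.Println("pinned test root:     ", p)
}
```

Only the first configuration connects to an endpoint with an untrusted
certificate without error; a validating client must report a certificate
error in the second case.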

Workaround
==========

Affected users should disable the WCPP handler and upgrade to a fixed
version as soon as possible.

Fix
===

Install a WCPP version greater than or equal to 2.0.15.910[0].

Security Risk
=============

WCPP does not verify TLS certificates when establishing HTTPS
connections. Man-in-the-middle attackers can therefore intercept those
connections with little effort. This may lead to a disclosure of
confidential information if sensitive documents are printed via WCPP.
Furthermore, the integrity of the printed documents cannot be guaranteed
as attackers are able to modify the documents in transit.

The described attack requires a man-in-the-middle position which is a
rather strong prerequisite. It is therefore estimated that the
vulnerability poses a medium risk.

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
